Posted to dev@sling.apache.org by "Cris Rockwell (Jira)" <ji...@apache.org> on 2020/05/07 17:45:00 UTC

[jira] [Comment Edited] (SLING-9397) SAML2 Authentication Handler [initial submission]

    [ https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17101911#comment-17101911 ] 

Cris Rockwell edited comment on SLING-9397 at 5/7/20, 5:44 PM:
---------------------------------------------------------------

Regarding NOTICE, it's building from the Velocity template below. The template would need to be updated to place a module notice statement into this, and I made a PR to do that.
 * [https://github.com/apache/sling-apache-sling-jar-resource-bundle/blob/master/src/main/resources/META-INF/NOTICE.vm]
 * [https://github.com/apache/sling-apache-sling-jar-resource-bundle/pull/1]

 

Changing the version of sling-apache-sling-jar-resource-bundle from 1.0.0 to 1.0.1-SNAPSHOT. If that actually happens, then line 209 from the sling-parent would also need to increment the version to 1.0.1.
 * [https://github.com/apache/sling-parent/blob/master/sling-parent/pom.xml]

 

After which, modules can place a notice statement in the pom.xml properties

{{<properties> }}{{<noticeStatement>}}
 

And then the NOTICE will be built using the updated template and also have whatever noticeStatement is needed by the module.

 

SAML2 Service Provider

    This module includes modified code from webprofile-ref-project-v3 [1], which has ASL2 as the license.
     [1]: [https://bitbucket.org/srasmusson/webprofile-ref-project-v3]

Copyright 2007-2020 The Apache Software Foundation

Apache Sling is based on source code originally developed
 by Day Software ([http://www.day.com/]).

This product includes software developed at
 The Apache Software Foundation ([http://www.apache.org/]).

 


was (Author: cris_rockwell):
Regarding NOTICE, it's building from the Velocity template below. The template would need to be updated to place a module notice statement into this, and I made a PR to do that.
 * [https://github.com/apache/sling-apache-sling-jar-resource-bundle/blob/master/src/main/resources/META-INF/NOTICE.vm]
 * [https://github.com/apache/sling-apache-sling-jar-resource-bundle/pull/1]

 

Changing the version of sling-apache-sling-jar-resource-bundle from 1.0.0 to 1.0.1-SNAPSHOT. If that actually happens, then line 209 from the sling-parent would also need to increment the version to 1.0.1.
 * [https://github.com/apache/sling-parent/blob/master/sling-parent/pom.xml]

 

After which, modules can place a notice statement in the pom.xml properties

{{}}{{<properties> }}{{<noticeStatement>}}
{{ This module includes modified code from webprofile-ref-project-v3 [1], which has ASL2 as the license.}}
{{ [1]: https://bitbucket.org/srasmusson/webprofile-ref-project-v3}}
{{</noticeStatement>}}

 

And then the NOTICE will be built using the updated template and also have whatever noticeStatement is needed by the module.

 

SAML2 Service Provider

    This module includes modified code from webprofile-ref-project-v3 [1], which has ASL2 as the license.
    [1]: [https://bitbucket.org/srasmusson/webprofile-ref-project-v3]


Copyright 2007-2020 The Apache Software Foundation

Apache Sling is based on source code originally developed
by Day Software (http://www.day.com/).

This product includes software developed at
The Apache Software Foundation (http://www.apache.org/).

 

> SAML2 Authentication Handler [initial submission]
> -------------------------------------------------
>
>                 Key: SLING-9397
>                 URL: https://issues.apache.org/jira/browse/SLING-9397
>             Project: Sling
>          Issue Type: New Feature
>          Components: Authentication
>         Environment: localhost
>            Reporter: Cris Rockwell
>            Priority: Major
>              Labels: SAML, authentification, security, user_management
>   Original Estimate: 168h
>  Remaining Estimate: 168h
>
> Here is a pull request which adds an authentication handler for a SAML2 Service Provider via the embedded OpenSAML V3 dependencies
> [https://github.com/apache/sling-whiteboard/pull/51]
>  
> *TODO Before Initial*
> [X] Sync attributes released by the IDP
> [X] Confirm license and attribution 
> "As the code is ASL2 and does not require a notice or anything else, we don't need to mention it. But I think it's usually good style to do so and have a single sentence in our NOTICE that we include (modified) code from ... which has ASL2 as the license"
>  
> *TODO After Initial* 
> [ ] Get confirmation the project builds and operates as expected
> [ ] Ensure that the NOTICE file is the correct one 
> [ ] Clarify whether we can depend on artifacts not deployed on Maven Central
> [ ] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects 
> * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf]
> [ ] Consider whether use of {{SAML2ConfigService}} and {{SAML2ConfigServiceImpl}} is a good design or not.
> [ ] Get feedback whether README instructions are too much, too little, unclear, etc
> [ ] Decide whether to make signing and encryption optional. Currently it is required
> [ ] Find and fix any bugs
>  


